Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit

Summary

Lunar CMS is a freely distributable open source content
management system written for use on servers running the ever so
popular PHP5 & MySQL.

Description

Lunar CMS suffers from an unauthenticated arbitrary command
execution vulnerability. The issue is caused by improper
verification of elFinder's upload/create/rename functions in the file
manager. This can be exploited to execute arbitrary PHP code by creating
or uploading a malicious PHP script file that will be stored in the
'/files' directory.
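
Detection sketch for the condition described above: requests for PHP-executable files below '/files' in a web access log. This is an added example, not part of the original advisory or of Lunar CMS; the combined log format, the '/lunarcms/' install prefix, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: extensions a typical Apache/PHP setup may pass to the PHP interpreter.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

# Apache/nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_script_under_files(target):
    """True if the request path names a PHP-executable file below a /files/ directory."""
    path = unquote(urlsplit(target).path).lower()  # undo %2E tricks, ignore case
    if "/files/" not in path:
        return False
    name = path.rsplit("/", 1)[-1]
    # Check every dot-separated part so 'x.php.jpg' is flagged as well as 'x.php'.
    return any(part in PHP_EXTS for part in name.split(".")[1:])

def suspicious_hits(lines):
    """Return (ip, timestamp, method, target, status) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_script_under_files(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /lunarcms/files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:12:00:05 +0000] "GET /lunarcms/files/notes.PHP HTTP/1.1" 200 12 "-" "curl/7.30"',
    '203.0.113.9 - - [01/Jan/2024:12:01:10 +0000] "POST /lunarcms/files/img%2Ephp5?x=1 HTTP/1.1" 200 40 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:12:02:00 +0000] "GET /lunarcms/files/a.phtml.jpg HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.4 - - [01/Jan/2024:12:03:00 +0000] "GET /lunarcms/index.php HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_LOG):
        print(hit)
```

A flagged request answered with status 200 means the script exists under '/files' and was served, so the file itself should be examined; legitimate uploads in that directory are not expected to carry PHP extensions.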